Last modified: 2008-Jun-25
I prefer email to instant messages or phone calls because I can answer emails asynchronously. Currently, you should send mail only to krose@krose.org.
If you receive an email from me, you may notice that it looks something like the following:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Test message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iEYEARECAAYFAkXabJQACgkQ1OOn6m3a03cs9QCZAcg2kaAyfX8lhKhO2reP7w8Z
S1gAnjtmQf775j5PgWdTLzHxAb6uS70c
=fHXi
-----END PGP SIGNATURE-----
This is a digitally signed message, where the signature is the gibberish near the end. The purpose of a digital signature is to verify that I have, in fact, written the message, because only a person with my private signing key can easily produce a valid signature for any chosen nontrivial natural language message.
(Note: you need to take care regarding what you trust in a particular message. That is, only the text between the "BEGIN PGP SIGNED MESSAGE" and "BEGIN PGP SIGNATURE" lines is covered by the signature; in particular, the headers are not signed, so unless you see the address of the key that authenticated the message, don't trust that it came from the person listed in the From: header! Signing master keys and identities is precisely the basis of the PGP web of trust.)
To verify the signatures on my messages, get GnuPG and download my public signing/encryption key set:
pub   4096R/333905F5 2002-05-11
uid                  Kyle Rose (http://www.krose.org/~krose/) <krose@krose.org>
sub   2048R/7A6E30F1 2006-03-13 [expires: 2009-03-12]
sub   1024D/8406AF60 2008-03-28 [expires: 2009-09-19]
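As an added example (not code from this page or from Kyle Rose), the following Python splits a clearsigned mail into its unsigned headers, the signed text and the armored signature, undoing the RFC 4880 dash-escaping, and then reads the GOODSIG line of gpg's --status-fd output to check that the key that verified the text is one of the listed key ids rather than whatever the From: header claims. The sample mail, its placeholder signature data and the key id in the check are constructed.

```python
import re
from typing import NamedTuple, Optional

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

class Parts(NamedTuple):
    headers: dict             # From:, Subject:, ... are NOT covered by the signature
    hash_alg: Optional[str]
    signed_text: str          # the only text a good signature vouches for
    signature: str            # armored block handed to gpg for verification

def split_clearsigned(raw: str) -> Parts:
    """Split a mail into its unsigned headers and its RFC 4880 clearsigned body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    lines = body.splitlines()
    try:
        i_msg = lines.index(BEGIN_MSG)
        i_sig = lines.index(BEGIN_SIG, i_msg)
        i_end = lines.index(END_SIG, i_sig)
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    hash_alg, j = None, i_msg + 1
    while j < i_sig and lines[j].strip():        # armor headers such as "Hash: SHA1"
        key, sep, val = lines[j].partition(":")
        if sep and key.strip() == "Hash":
            hash_alg = val.strip()
        j += 1
    # Signed lines that began with '-' were dash-escaped to "- "; undo that.
    signed = [l[2:] if l.startswith("- ") else l for l in lines[j + 1:i_sig]]
    return Parts(headers, hash_alg, "\n".join(signed), "\n".join(lines[i_sig:i_end + 1]))

def signing_key_ok(status_lines, trusted_short_ids):
    """Decide from `gpg --status-fd` output, not from From:, which key verified the text."""
    for line in status_lines:
        m = re.match(r"\[GNUPG:\] GOODSIG ([0-9A-Fa-f]+) ", line)
        if m and m.group(1)[-8:].upper() in trusted_short_ids:
            return True
    return False

# Constructed sample mail; the signature data is a placeholder, not a real signature.
SAMPLE = ("From: Someone Else <spoofed@example.com>\nSubject: hi\n\n"
          f"{BEGIN_MSG}\nHash: SHA1\n\nTest message\n- -- a dash-escaped line\n"
          f"{BEGIN_SIG}\n\nPLACEHOLDERSIGNATUREDATA\n=AAAA\n{END_SIG}\n")
```

Feed `Parts.signed_text` and `Parts.signature` to gpg for the actual cryptographic check; the parser only decides which bytes a good signature would vouch for.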
The primary key (4096R) is a 4096-bit RSA signing key that I use to sign other keys (both my subkeys and others' keys). This key never expires.
The DSA subkey (1024D) is a 1024-bit DSA (Digital Signature Algorithm) key used only for signing messages. Currently, this is the key I use for signing my email. Due to its short length, I generate a new DSA subkey once a year.
The other subkeys (2048g El-Gamal and 2048R RSA) are encryption keys. You should use one of these keys to encrypt messages to me.
I like encryption. Please send me encrypted email, even if it is not sensitive in nature. Only by the experts' use of encryption will it gain credibility in a legal setting and in society at large. Because I use Mozilla Thunderbird with Enigmail, reading encrypted mail is reasonably trivial.
If you receive a signed message whose signature is verified by one of my keys, you can be almost positive that I sent it. The exceptions are:
Nonetheless, if a message signed with my key seems suspicious, you should verify it with me first. If nothing else, it will lead me to issue a key revocation certificate if I did not actually write the message.
You should use the above key, even if you find others on the PGP public key servers. Unfortunately, the public key servers do not recognize revocation certificates generated by GnuPG, and there is no way to generate a revocation certificate for an El-Gamal encryption/signing key using PGP.
My AIM ID is "squarooticus". My Jabber/XMPP/GoogleTalk address is my email address, "krose@krose.org". I use GAIM's OTR (Off The Record) plugin for security. My OTR fingerprints are:
But of course you shouldn't really trust them if this page isn't being served via SSL or you are lacking the cacert.org root certificate. If you have something really confidential to tell me, call me and verify the fingerprint over the phone first.